Learn the top quick steps, then deepen your knowledge and learn more strategies with key IU resources from Protect IU and the IU Knowledge Base.
Plus, find high-quality training resources available at IU.
Think before you click—Quick steps
2. Rethink
If you can't verify the sender, do not click at all.
How: If the email refers to a known website, type that website address into a new browser window instead and check for information there.
3. Report
Suspect it's a phish? Send the alert.
How: Contact your campus UITS Support Center for help on how to report it.
Description of the video:
[ Music ]
>> Hold on there. Think before you click. One good way to recognize a phish or a malicious email is to verify the sender. Double-click on the sender's name to see the real email address. If using Gmail, move your mouse over the text, but don't click. If using a mobile device, tap instead. If the revealed email address isn't what you expected for that sender, beware it could be a phish. This email is definitely a phish. So ask yourself did you expect an email from this person or group? Is the sender's actual email address legitimate, including the full domain after the @ sign? If you can't verify the sender, do not click any links or take any requested action. Instead, look carefully at the email. If it appears suspicious, report it. There are even more ways to recognize a wolf in sheep's clothing, but checking the sender's real address is a good step. Find more tips to recognize, rethink, and report on phishing.iu.edu.
[ Sheep bleating ]
View the sender's real email address
Double-click or tap the sender's name to view the real email address. (In Gmail, hover over the sender's name, which means to move your mouse over the text but don't click.)
Make sure it matches the expected email address and has a legitimate domain after the @ symbol in the email address. (For example, "@ iu.edu" has a legitimate IU domain, but "@ indiana.me" does not have a legitimate IU email domain.)
Check for a digital signature
Look for the indication of a digital signature on the email, if you know the sender uses one. Not all IU members are required to use digital signatures, although it is a recommended best practice for those who are able.
Look for the trusted security footer on official IU emails
Official IU emails now use the secure IU Trusted Footer. This shows who the message is from and who it is intended for in the text at the bottom of the email.
Flag external emails
By recognizing quickly which emails are from non-IU senders, you can better spot potential phishing attempts. You can now turn on external email flagging with the new IU Security Center.
Think critically about the request
Think carefully about whether the named email source should make this type of request.
Get tips from Protect IU on spotting potential concerns.
Note: As of July 24, 2019, all IU email accounts will have external flagging turned on by default. Visit the Security Center for more information. Plus, view the latest Think Before You Click video about external email flagging.
Reveal actual URLs before clicking
Before clicking, make sure you trust the destination of the URL. Some links can trick viewers by having a safe URL as the viewable text, but the actual destination URL is a scam site. Remember the phrase "hover to discover." Here's how:
- On a desktop computer, to hover on a link, position your mouse cursor over the linked text without clicking on it. This will reveal a small text box that contains the full destination URL.
- On mobile devices, the technique to show the URL without opening the destination webpage can vary. Often, it involves a light-pressure long press.
Practice with this link. Hovering should reveal the URL "https://www.iu.edu/" in small text at the bottom left of this web browser window.
When you hover in your email, often the full URL will appear in small text right next to the link.
Before you click, always be sure you trust the full URL.
Description of the video:
[ Music ]>> Hold on. I would rethink this one. If you have not verified the sender, do not click on links in emails at all. If the email refers to a known website, type that website address into a new browser window instead to verify its authenticity. Even for trusted contacts and emails, it's a good idea to hover over the link first without clicking on it. This should reveal a small popup with the actual destination URL. Only click if you trust that revealed URL completely. This email is definitely a phish. So, think before you click. There are even more ways to recognize a wolf in sheep's clothing, but not clicking any links from unknown senders is a good step. Find more tips to recognize, rethink, and report on phishing.iu.edu.
[ Music ]
Avoid clicking links in emails
The best solution is to go directly to a known website address rather than clicking links in an email. Instead of clicking links in notification emails, go to the trusted website address and check for notices there.
Learn more about making sure a website is genuine.
Think critically about the message
Think critically about the way the email is worded and what the request is. Anything urgently requesting action regarding financial transactions or providing sensitive information should be a red flag to investigate carefully.
Get more tips from the Protect IU site on how to analyze messages.
View emails in plain text
Viewing emails in plain text can reveal details that scammers try to hide, including full URLs for all links.
Report the message in Outlook
You can use the built-in reporting features in Outlook to report suspicious email to the IT Security Office.
Report a phishing message in OutlookNever open attachments from unverified senders
If you can't verify the sender, don't click the attachment. Attachments are a key way that malware and harmful files are sent in phishing attacks.
Description of the video:
[ Music ]>> Good call. This email looks suspicious. If a suspected phishing email targets IU in any way, you can contact the UITS support center for help on how to report it. They will help you get the alert to IU's university information policy office, which can then evaluate the thread and minimize risk for the rest of the IU community. Outlook and student Gmail users at IU can also get a one-click reporting tool that takes care of reporting the phish to the policy office for you. To download this tool, search for PhishMe Reporter on iuware.iu.edu. And to learn more ways to report, visit phishing.iu.edu/report. While there are several ways to report a suspected phish, contacting UITS support center is a great way to get started. And if you do accidentally click on a suspected phish, contact the support center right away. So, feel free to squeal. Reporting a suspected phishing scam helps protect the entire IU community. Fine more tips to recognize, rethink and report on phishing.iu.edu.
[ Music ]
Contact your IT Pro or the UITS Support Center
If you don't have other means to report quickly, contact your IT Pro or the UITS Support Center.
UITS Support Center contact information
Forward the message to phishing@iu.edu with full headers
Using any major email provider, you can forward the message to phishing@iu.edu with full headers to report a suspected phishing email.
Learn how to forward with full headers
(Instructions for each email client are provided.)
Get more how-to help from Protect IU
The Protect IU website provides great resources for personal preparedness in online safety.
Key recommendations from the IU Knowledge Base
Avoid scams
To guard against phishing scams, consider the following:
- Indiana University and other reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company's website (that is, type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.
-
Read your email as plain text.
Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.
- If you choose to read your email in HTML format:
- Hover your mouse over the links in each email message to display the actual URL. Check whether the hover-text link matches what's in the text, and whether the link looks like a site with which you would normally do business.
On an iOS device, tap and hold your finger over a link to display the URL. Unfortunately, Android does not currently support this.
- Hover your mouse over the links in each email message to display the actual URL. Check whether the hover-text link matches what's in the text, and whether the link looks like a site with which you would normally do business.
When you recognize a phishing message, first report it as noted below, and then delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the websites it points to.
To learn more about guarding against phishing scams, see:
Training options to boost your defenses
Hold "Think before you click" workshops
Request a "Think before you click" instructor-led workshop with IT Training.